The purpose of the Device and Media Control, Media Reuse Policy is to establish guidelines for the removal of ePHI from electronic media before the media is made available for re-use.
Definitions
- Device: For the purposes of this policy, devices are considered to be electronic hardware (including but not limited to workstations, personal computers, servers, laptops, copiers, fax machines, and handheld units) with storage capability to record and save ePHI.
- Storage Media: Including but not limited to disk drives, tapes, floppy disks, CDs, zip disks, flash cards, USB memory sticks, optical disks, and hard copies.
- Data Sanitization: The process of permanently and irreversibly removing or destroying data that is stored in a system or in a component of that system, such as a memory device. Data sanitization may also be used on standalone storage devices.
Any equipment or storage media that contains confidential, critical, internal use only, and/or private information will be sanitized by appropriate means or destroyed by the Security Officer or his/her appointed designee before the equipment/media is reused.
Specifically, all devices with storage capabilities shall be sanitized prior to the re-issuance or repurposing of the device. In specific circumstances, and upon the approval of the Security Manager or designated representative, sanitization requirements may be modified or bypassed altogether.
Additional considerations prior to reusing any ePHI-capable device include:
- Hard drives, servers, and printers/peripherals must be cleansed prior to transfer to a new user.
- Data temporarily stored on “smart” devices, such as photocopiers with internal hard drives or memory, must be cleansed prior to transfer.